    TrendLabs Security Intelligence Blog

    Author Archive - Rainer Link (Senior Threat Researcher)




    There are reports of zero-day exploit code in the wild for the client-side RealPlayer and Helix Player. A format string vulnerability in these media players can be exploited to execute arbitrary code on the affected system. A specially crafted media file, in the .RP (RealPix) or .RT (RealText) format, triggers the vulnerability.

    The exploit code itself states that Real was informed about the vulnerability. However, the code was released to the public before Real had a patch for the problem. The author of the exploit apologized for the untimely release, as quoted below.

    “Real have been duly informed about this issue and are fixing. Sadly though, it seems someone is trying to pinch my research, as such I have been forced to release this advisory sooner than hoped. Until Real get a new release out, do not play untrusted media with RealPlayer or HelixPlayer. Sorry Real.com!

    Moral of the story, don’t talk about personal research on IRC. Thank you plagiarizers”
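The bug class behind this advisory, as an added example (not RealPlayer or Helix Player code, and not the published exploit): a logging helper that takes text from a media file's attribute and passes it as the printf format string, next to the corrected form and a cheap check a parser can run on untrusted text fields. The helper names and the sample attribute strings are assumptions made for the demo.

```c
/* format_string_demo.c -- added example, not RealPlayer or Helix Player code.
 * Shows the bug class behind the advisory: text taken from an untrusted media
 * file is used as a printf-style format string.  The "attribute" strings at
 * the bottom are constructed for the demo. */
#include <stdio.h>
#include <stdarg.h>
#include <string.h>

/* BUG CLASS: a logging helper where the caller's message becomes the format.
 * If `attr` came from a .rt/.rp file, a string such as "%08x.%08x.%n" lets the
 * file read stack memory and, via %n, write to an attacker-chosen address.
 * The demo only ever feeds it "%%" so that it stays well-defined here. */
static int log_tag_vulnerable(char *out, size_t outsz, const char *attr, ...) {
    va_list ap;
    int n;
    va_start(ap, attr);
    n = vsnprintf(out, outsz, attr, ap);   /* attr is the format string: the bug */
    va_end(ap);
    return n;
}

/* FIX: the format is a compile-time literal; the untrusted text is an argument. */
static int log_tag_safe(char *out, size_t outsz, const char *attr) {
    return snprintf(out, outsz, "%s", attr);
}

/* Defensive check for a file scanner or a hardened parser: count '%' conversion
 * directives in untrusted text, ignoring the escaped "%%".  A non-zero count in
 * a field that should be plain text is worth logging or rejecting. */
static int count_format_directives(const char *s) {
    int n = 0;
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }   /* literal percent sign */
        n++;
    }
    return n;
}

/* Constructed sample attribute values (not taken from a real exploit file). */
static const char SAMPLE_BENIGN[]  = "100%% done";
static const char SAMPLE_HOSTILE[] = "%08x.%08x.%08x.%n";

int main(void) {
    char buf[64];
    log_tag_vulnerable(buf, sizeof buf, SAMPLE_BENIGN);
    printf("vulnerable: \"%s\"  (format was interpreted: %%%% became %%)\n", buf);
    log_tag_safe(buf, sizeof buf, SAMPLE_BENIGN);
    printf("safe:       \"%s\"  (copied verbatim)\n", buf);
    printf("directives in hostile sample: %d\n", count_format_directives(SAMPLE_HOSTILE));
    return 0;
}
```

The benign sample is enough to see the difference: the vulnerable helper turns "%%" into "%", proving the text was interpreted as a format, while the safe helper copies it unchanged; the hostile sample is only counted, never passed to the vulnerable helper, because executing it would be undefined behaviour.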

     
    Posted in Bad Sites | Comments Off



    Hearing Ben Edelman speak yesterday about tricky EULAs and the legality of these contracts made me realize that these programs cannot twist our arm. They cannot sue users who uninstall the bundled spyware (while keeping the program they actually wanted) just because the EULA says otherwise. He said that these EULAs are not really written for users but for antispyware companies, to give us second thoughts about tagging these products as spyware. But as a user, what can you do? Ben says you have every right to know what is installed on your PC, because it is your territory. In some cases the installation details are already in the EULA… you just have to read all of it! Or do you really have to?

    Enter EULAlyzer… It is not a super-savvy tool that can determine that the package you are installing is totally hogwash, but it is quite useful for those of us who are allergic to reading gazillions of pages of EULAs. It also has a very user-friendly interface.

    Example:

    Here’s a walkthrough of EULAlyzing Grokster:

    I get to the Grokster license agreement… and my allergies start showing.



    I open EULAlyzer and drag the crosshair onto the text area of Grokster’s EULA… and it’s ready to be EULAlyzed!



    Then I click the Analyze button and some strings get flagged…



    Then I expand the “+” on the left of the flagged text and check out the sneaky things.



    And somehow I’m not so happy anymore… Oh well, I still need to read the EULA to verify the context of the statements EULAlyzer flagged, but hey, at least I already got a glimpse of those sneaky things and have an idea of what I’m putting on my PC. And I can even save the sneaky EULA for future reference.

    Note: EULAlyzer is a product of Javacool Software LLC. You can read more about it and download it from their site.


    Thanks to Daves Espia for the heads-up.

     
    Posted in Bad Sites | Comments Off


    Sep 27, 11:21 am (UTC-7)


    As of this writing, no security firm or individual has been able to confirm the credibility of the report. The security community has been asking for binaries of the much-hyped worm to prove to the public that it really exists, but even the individual (Vlad) who claims that his machine was infected cannot provide one.

    Vlad even posted a tcpdump capture of the supposed activity of the Wi-Fi worm, but what is noticeable on skimming the log is that there is no 802.11 traffic to be extracted from it: all of it is Ethernet traffic.

    I guess this issue has been hyped so much just to get the attention of some individuals and firms. I’d say he has succeeded even this early, because even people from the Internet Storm Center have devoted time to some passive analysis of the area.

    But nobody has been able to provide consistent, real proof.
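The kind of check the “all Ethernet” observation rests on, as an added example that is not part of the original post: a libpcap capture declares its link-layer type once, in the global header, so that field (not the packets) says whether 802.11 frames can be present at all, and the records can then be tallied by frame type. One caveat a reviewer of such a dump should keep in mind: a capture taken on a Wi-Fi adapter in managed (non-monitor) mode is delivered as Ethernet frames (link type 1) even though the traffic went over the air, so an Ethernet-only dump shows that nothing was captured at the 802.11 layer, not that no wireless link was involved. The two captures in the block are constructed inline.

```c
/* pcap_linktype.c -- added example, not from the original post.
 * Reads a libpcap file from memory and answers the question raised above:
 * does the capture actually hold 802.11 frames, or Ethernet frames?
 * The two captures at the bottom are constructed inline for the demo. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* LINKTYPE_* values from the libpcap link-layer header type registry. */
#define LINKTYPE_ETHERNET            1
#define LINKTYPE_IEEE802_11          105
#define LINKTYPE_PRISM_HEADER        119
#define LINKTYPE_IEEE802_11_RADIOTAP 127
#define LINKTYPE_IEEE802_11_AVS      163

struct tally { int total, ethernet, wifi, other, arp, ipv4, mgmt; };

/* Read a 32-bit field in the byte order the file's magic number declared. */
static uint32_t rd32(const uint8_t *p, int big_endian) {
    return big_endian
        ? (uint32_t)p[0] << 24 | (uint32_t)p[1] << 16 | (uint32_t)p[2] << 8 | p[3]
        : (uint32_t)p[3] << 24 | (uint32_t)p[2] << 16 | (uint32_t)p[1] << 8 | p[0];
}

/* Check the magic (microsecond or nanosecond variant, either byte order).
 * Returns 1 and sets *big_endian if this is a libpcap file, else 0. */
static int pcap_byteorder(const uint8_t *d, size_t n, int *big_endian) {
    uint32_t m;
    if (n < 24) return 0;
    m = rd32(d, 0);                                  /* read as little-endian */
    if (m == 0xa1b2c3d4u || m == 0xa1b23c4du) { *big_endian = 0; return 1; }
    if (m == 0xd4c3b2a1u || m == 0x4d3cb2a1u) { *big_endian = 1; return 1; }
    return 0;
}

/* Link-layer type from the global header (bytes 20..23); -1 if not pcap. */
static int pcap_linktype(const uint8_t *d, size_t n) {
    int big;
    if (!pcap_byteorder(d, n, &big)) return -1;
    return (int)rd32(d + 20, big);
}

static int is_wifi_linktype(int lt) {
    return lt == LINKTYPE_IEEE802_11 || lt == LINKTYPE_PRISM_HEADER ||
           lt == LINKTYPE_IEEE802_11_RADIOTAP || lt == LINKTYPE_IEEE802_11_AVS;
}

/* Walk the packet records and classify each frame. Returns the record count,
 * or -1 if the buffer is not a pcap file. */
static int pcap_tally(const uint8_t *d, size_t n, struct tally *t) {
    int big, lt;
    size_t off = 24;
    memset(t, 0, sizeof *t);
    if (!pcap_byteorder(d, n, &big)) return -1;
    lt = (int)rd32(d + 20, big);
    while (off + 16 <= n) {
        uint32_t incl = rd32(d + off + 8, big);      /* captured length */
        const uint8_t *f = d + off + 16;
        if (incl > n - off - 16) break;              /* truncated record */
        off += 16 + incl;
        t->total++;
        if (lt == LINKTYPE_ETHERNET && incl >= 14) {
            unsigned ethertype = (unsigned)f[12] << 8 | f[13];
            t->ethernet++;
            if (ethertype == 0x0806) t->arp++;
            else if (ethertype == 0x0800) t->ipv4++;
        } else if (is_wifi_linktype(lt)) {
            const uint8_t *w = f;
            uint32_t wl = incl;
            t->wifi++;
            if (lt == LINKTYPE_IEEE802_11_RADIOTAP && incl >= 4) {
                uint32_t rt = f[2] | (uint32_t)f[3] << 8;   /* radiotap length, little-endian */
                if (rt <= incl) { w = f + rt; wl = incl - rt; }
            }
            /* 802.11 frame control: bits 2-3 are the type, 0 = management (beacon, probe, ...) */
            if ((lt == LINKTYPE_IEEE802_11 || lt == LINKTYPE_IEEE802_11_RADIOTAP) &&
                wl >= 2 && ((w[0] >> 2) & 3) == 0)
                t->mgmt++;
        } else {
            t->other++;
        }
    }
    return t->total;
}

/* Constructed sample 1: little-endian pcap, link type 1 (Ethernet), one ARP
 * and one IPv4 frame (14-byte headers only). */
static const uint8_t ETH_CAPTURE[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 0x01,0,0,0,
    0,0,0,0, 0,0,0,0, 14,0,0,0, 14,0,0,0,
    0xff,0xff,0xff,0xff,0xff,0xff, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06,
    0,0,0,0, 0,0,0,0, 14,0,0,0, 14,0,0,0,
    0x00,0x11,0x22,0x33,0x44,0x66, 0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x00,
};
/* Constructed sample 2: link type 105 (raw 802.11), one beacon (24-byte MAC header). */
static const uint8_t WIFI_CAPTURE[] = {
    0xd4,0xc3,0xb2,0xa1, 0x02,0x00, 0x04,0x00, 0,0,0,0, 0,0,0,0, 0xff,0xff,0,0, 105,0,0,0,
    0,0,0,0, 0,0,0,0, 24,0,0,0, 24,0,0,0,
    0x80,0x00, 0x00,0x00, 0xff,0xff,0xff,0xff,0xff,0xff,
    0x00,0x11,0x22,0x33,0x44,0x55, 0x00,0x11,0x22,0x33,0x44,0x55, 0x10,0x00,
};

int main(void) {
    struct tally t;
    pcap_tally(ETH_CAPTURE, sizeof ETH_CAPTURE, &t);
    printf("sample 1: linktype %d, 802.11 possible: %s, %d ethernet (%d arp, %d ipv4), %d wifi\n",
           pcap_linktype(ETH_CAPTURE, sizeof ETH_CAPTURE),
           is_wifi_linktype(pcap_linktype(ETH_CAPTURE, sizeof ETH_CAPTURE)) ? "yes" : "no",
           t.ethernet, t.arp, t.ipv4, t.wifi);
    pcap_tally(WIFI_CAPTURE, sizeof WIFI_CAPTURE, &t);
    printf("sample 2: linktype %d, %d wifi (%d management)\n",
           pcap_linktype(WIFI_CAPTURE, sizeof WIFI_CAPTURE), t.wifi, t.mgmt);
    return 0;
}
```

On a real file the same two calls run over the bytes read from disk; the link type check alone settles the “is there any 802.11 in here?” question before a single packet is looked at.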

     
    Posted in Bad Sites | Comments Off




    This new Symbian malware is similar to other Symbian malware in that it overwrites normal files on the system in order to destroy them. However, it has a particularly interesting characteristic: it attempts to spread the infection to a computer running Windows. It does this by dropping these four files onto the E: drive (the memory card):


    • fsb.exe – BKDR_BERBEW.Q
    • buburuz.ICO – icon file for the memory card
    • autorun.inf – file used to automatically execute fsb.exe
    • SYSTEM.exe – WORM_WUKILL.B


    Thus, when the memory card is inserted into a Windows computer, autorun.inf will attempt to execute fsb.exe. SYSTEM.exe has no automatic startup routine, but since it carries a folder icon, an unsuspecting user who wants to open this “folder” may execute it.

    Note: This malware is detected as SYMBOS_CARDTRP.A.
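What the autorun.inf vector amounts to in practice, as an added example (not the malware’s file, whose contents the post does not reproduce; the autorun.inf text inside the block is constructed): a parser that reports what the [autorun] section would launch on insertion, which is the first thing to check on a suspect memory card. Keep in mind that both Windows-side droppers still need AutoRun or a user to start them; Microsoft later disabled AutoRun for non-optical removable media by default (update KB971029, 2011), which blunts the fsb.exe route but not the folder-icon trick on SYSTEM.exe.

```c
/* autorun_targets.c -- added example, not from the original post.  Lists what
 * an autorun.inf would launch when a removable drive is inserted.  The
 * autorun.inf text below is constructed; the post only says it runs fsb.exe. */
#include <stdio.h>
#include <string.h>
#include <ctype.h>

#define TARGET_LEN 64

static const char *skip_ws(const char *s) {
    while (*s == ' ' || *s == '\t') s++;
    return s;
}

/* Copy at most max-1 characters of [s, s+len) into dst, lower-cased, with
 * trailing blanks trimmed, so keys and section names compare case-insensitively. */
static void copy_key(char *dst, size_t max, const char *s, size_t len) {
    size_t i;
    while (len && (s[len - 1] == ' ' || s[len - 1] == '\t')) len--;
    if (len >= max) len = max - 1;
    for (i = 0; i < len; i++) dst[i] = (char)tolower((unsigned char)s[i]);
    dst[len] = '\0';
}

/* Extract the programs the [autorun] section would launch: the values of
 * open=, shellexecute= and shell\<verb>\command=.  Other sections and ';'
 * comment lines are ignored.  Returns the number of targets stored. */
static int autorun_targets(const char *inf, char targets[][TARGET_LEN], int max) {
    int in_autorun = 0, n = 0;
    const char *line = inf;
    while (*line && n < max) {
        const char *eol = strpbrk(line, "\r\n");
        size_t len = eol ? (size_t)(eol - line) : strlen(line);
        const char *s = skip_ws(line);
        if (*s == '[') {
            char sec[32];
            copy_key(sec, sizeof sec, s, len - (size_t)(s - line));
            in_autorun = strcmp(sec, "[autorun]") == 0;
        } else if (in_autorun && *s != ';') {
            const char *eq = memchr(s, '=', len - (size_t)(s - line));
            if (eq) {
                char key[TARGET_LEN];
                copy_key(key, sizeof key, s, (size_t)(eq - s));
                if (!strcmp(key, "open") || !strcmp(key, "shellexecute") ||
                    (!strncmp(key, "shell\\", 6) && strstr(key, "\\command"))) {
                    const char *v = skip_ws(eq + 1);
                    size_t vl = (size_t)(line + len - v);
                    while (vl && (v[vl - 1] == ' ' || v[vl - 1] == '\t')) vl--;
                    if (vl >= TARGET_LEN) vl = TARGET_LEN - 1;
                    if (vl) {
                        memcpy(targets[n], v, vl);
                        targets[n][vl] = '\0';
                        n++;
                    }
                }
            }
        }
        line = eol ? eol + 1 : line + len;
    }
    return n;
}

/* Constructed autorun.inf in the style described above (assumed contents). */
static const char SAMPLE_INF[] =
    "[autorun]\r\n"
    "open=fsb.exe\r\n"
    "icon=buburuz.ICO\r\n"
    "shell\\open\\command=fsb.exe\r\n"
    "action=Open folder to view files\r\n"
    "[other]\r\n"
    "open=ignored.exe\r\n";

int main(void) {
    char targets[8][TARGET_LEN];
    int i, n = autorun_targets(SAMPLE_INF, targets, 8);
    for (i = 0; i < n; i++) printf("autorun would launch: %s\n", targets[i]);
    return 0;
}
```

The `action=` and `icon=` lines are what make the AutoPlay prompt look like an ordinary folder on a memory card, which is why the parser reports the command keys rather than trusting the label Windows would show.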


    Dropped Files

    • E:\DOCUME~1\Bim\LOCALS~1\Temp\MKS0CARIBE.SIS – already detected as SymbOS_CABIR.A
    • E:\SYSTEM.exe – already detected as WORM_WUKILL.B
    • E:\fsb.exe – already detected as BKDR_BERBEW.Q
    • E:\System\Apps\WILDSKIN\WILDSKIN.App
    • C:\System\Apps\WALLETAVMGMT\WALLETAVMGMT.App
    • C:\System\Apps\Voicerecorder\Voicerecorder.app
    • C:\System\Apps\VoiceRec\VoiceRec.app
    • C:\System\Apps\VM\Vm.app
    • C:\System\Apps\Videorecorder\VideoRecorder.app
    • C:\System\Apps\VCommand\VCommand.app
    • E:\System\Apps\UVSMStyle\UVSMStyle.App
    • E:\System\Apps\UltraMP3\UltraMP3.App
    • C:\System\Apps\Todo\Todo.app
    • E:\System\Apps\SystemExplorer\SystemExplorer.App
    • C:\System\Apps\sSaver\sSaver.App
    • C:\System\Apps\SpeedDial\Speeddial.app
    • E:\System\Apps\Sounder\Sounder.App
    • C:\System\Apps\SnakeEx\SnakeEx.app
    • E:\System\Apps\SmsMachine\SmsMachine.App
    • E:\System\Apps\SmartMovie\SmartMovie.App
    • E:\System\Apps\SmartAnswer\SmartAnswer.App
    • C:\System\Apps\SimDir\SimDir.app
    • E:\System\Apps\ScreenCap\ScreenCap.app
    • C:\System\Apps\SatUi\Satui.app
    • E:\System\Apps\RingMaster\RingMaster.App
    • C:\System\Apps\RealPlayer\RealPlayer.app
    • E:\System\Apps\RallyProContest\RallyProContest.App
    • E:\System\Apps\PVPlayer\PVPlayer.App
    • C:\System\Apps\Psln\PSLN.app
    • C:\System\Apps\ProfileApp\ProfileApp.app
    • C:\System\Apps\Pinboard\Pinboard.app
    • E:\System\Apps\PhotoSMS\PhotoSMS.App
    • E:\System\Apps\PhotoSafe\PhotoSafe.App
    • E:\System\Apps\Photographer\Photographer.app
    • E:\System\Apps\PhotoEditor\PhotoEditor.app
    • C:\System\Apps\PhotoAlbum\PhotoAlbum.app
    • E:\System\Apps\photoacute\photoacute.App
    • C:\System\Apps\PhoneBook\PhoneBook.app
    • !:\System\Apps\Phone\FREAKPHONE_CAPTION.RSC
    • !:\System\Apps\Phone\FREAKPHONE.RSC
    • E:\System\Apps\Phone\FREAKPHONE.APP
    • E:\System\Apps\Phone\FreakPhone.aif
    • C:\System\Apps\NSmlDSSync\NSmlDSSync.app
    • C:\System\Apps\Notepad\Notepad.app
    • C:\System\Apps\MusicPlayer\MusicPlayer.app
    • E:\System\Apps\Mp3Player\Mp3Player.App
    • E:\System\Apps\Mp3Go\Mp3Go.App
    • C:\System\Apps\mmp\mmp.App
    • C:\System\Apps\MMCApp\MMCApp.app
    • C:\System\Apps\MixPix\MixPix.app
    • C:\System\Apps\MidpUi\MidpUi.app
    • E:\System\Apps\MIDIED\MIDIED.App
    • !:\System\Apps\Menu\FreakMenu_caption.rsc
    • !:\System\Apps\Menu\FREAKMENU.RSC
    • !:\System\Apps\Menu\FREAKMENU.APP
    • E:\System\Apps\Menu\FreakMenu.aif
    • C:\System\Apps\Mediaplayer\MediaPlayer.app
    • C:\System\Apps\MediaGallery\MediaGallery.app
    • C:\System\Apps\MCE\MCE.app
    • C:\System\Apps\Logs\Logs.app
    • E:\System\Apps\logoMan\logoMan.app
    • E:\System\Apps\Launcher\Launcher.app
    • E:\System\Apps\KPCaMain\KPCaMain.App
    • E:\System\Apps\Jelly\Jelly.App
    • E:\System\Apps\irremote\irRemote.App
    • C:\System\Apps\IrApp\IrApp.app
    • E:\System\Apps\HantroCP\HantroCP.App
    • E:\System\Apps\Hair\Hair.App
    • C:\System\Apps\GS\GS.app
    • E:\System\Apps\FSCaller\FSCaller.App
    • C:\System\Apps\FMRadio\FMRadio.app
    • C:\System\Apps\FileManager\FileManager.app
    • E:\System\Apps\FExplorer\FExplorer.App
    • C:\System\Apps\Fdn\FDN.app
    • C:\System\Apps\FaxModemUi\FaxModemUi.app
    • E:\System\Apps\FaceWarp\FaceWarp.App
    • E:\System\Apps\extendedrecorder\extendedrecorder.App
    • E:\System\Apps\ETIPlayer\ETIPlayer.App
    • E:\System\Apps\ETIMovieAlbum\ETIMovieAlbum.App
    • E:\System\Apps\ETICamcorder\ETICamcorder.App
    • C:\System\Apps\CSHelp\CSHelp.app
    • C:\System\Apps\Converter\Converter.app
    • C:\System\Apps\ConnectionMonitorUi\ConnectionMonitorUi.app
    • C:\System\Apps\Composer\Composer.app
    • C:\System\Apps\ClockApp\ClockApp.app
    • E:\System\Apps\CF\CF.app
    • E:\System\Apps\camerafx\CameraFX.App
    • C:\System\Apps\Camera\Camera.app
    • C:\System\Apps\Camcorder\Camcorder.app
    • E:\System\Apps\Camcoder\Camcoder.App
    • E:\System\Apps\CallManager\CallManager.App
    • E:\System\Apps\callcheater\callcheater.app
    • C:\System\Apps\Calendar\Calendar.app
    • C:\System\Apps\CalcSoft\CalcSoft.app
    • C:\System\Apps\Browser\Browser.app
    • E:\System\Apps\BlueJackX\BlueJackX.App
    • E:\System\Apps\BlackList\BlackList.App
    • C:\System\Apps\AppMngr\AppMngr.app
    • C:\System\Apps\AppCtrl\AppCtrl.app
    • E:\System\Apps\AnswRec\AnswRec.App
    • E:\System\Apps\AD7650\AD7650.App
    • C:\System\Apps\About\About.app
    • E:\buburuz.ICO
    • E:\autorun.inf
    • PopUp0.txt



    Update
    Previously, our working example of a “blended threat” was a Windows worm that spreads via multiple propagation vectors such as email, IM, network shares and application vulnerabilities, and/or that has the capabilities of other malware types such as file infectors, backdoor trojans or even spyware.

    Now we may be seeing a slightly new implementation of what a “blended threat” is, or could be in the near future: a mobile malware with the capability to affect the Windows platform! Ergo, let the battle cry linger on: let’s continue to be vigilant!

    As Raimund Genes, Trend Micro Chief Technologist Anti-Malware, has said: “As mobile threats continue to evolve, it’s likely that we will see further attacks similar to this, but utilizing more robust propagation techniques and therefore carrying a higher potential for infection.”

     
    Posted in Bad Sites | Comments Off




    You must have heard that there are a number of new variants of the long-lived WORM_BAGLE. Well, that’s because of UPolyX.

    UPolyX is not new; its first version, UPolyX v0.1, has been around since 2004. Searching the net turns up four versions in existence.

    UPolyX is basically a scrambler. It specifically needs a UPX-packed input file to produce an output file. Through its polymorphic decryptor engine it can produce a number of different output files from a single input file. That is why we keep receiving new WORM_BAGLE variants from time to time.

    The latest version of the scrambler, UPolyX v0.5, adds a permutation module to further improve its polymorphism.

    The scrambler also implements an Executable Trash Generator (ETG), which places trash (dummy instructions) between the polymorphic decryptor and the code itself. ETG can be configured to control the number of bytes of trash it generates. ETG 1.00 is the only version publicly known and has been around since March 2000.

    From the characteristics above, it seems the author’s primary purpose is to defeat the decryptor emulation techniques of various antivirus engines.

    Using UPolyX, an already-detected malware can be revived and get back into the wild.

    From what I have noticed so far, the samples we receive follow this recipe:

    Detected Malware + UPX + UPolyX (polymorphic decryptor + Executable Trash Generator) = New Undetected Malware


    What if some worm authors decided to embed UPolyX’s technology? Hmm… oh well, we might have a hard time telling which variant of the worm is in the wild!
    But that is just one possibility; others may come along the way, and that’s another story. :=)
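A toy model of the recipe above, added here and not UPolyX’s engine: a known body is XOR-packed under a per-seed key and preceded by a decryptor stub whose bytes differ from run to run and is padded with do-nothing trash ops (the ETG idea). The block shows both halves of the argument: a byte signature lifted from one output does not match another output of the same body, while an emulator that simply executes the stub recovers the identical body every time, which is where detection has to happen. The stub’s opcode set, the PRNG and the sample body are all constructed for the demo.

```c
/* polyscrambler_model.c -- added toy model, not UPolyX's engine.  Models the
 * three layers described above: a packed body, a polymorphic decryptor stub
 * that differs per output, and trash instructions around it. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Opcodes of a tiny stub "VM".  The trash ops have no effect when executed. */
enum { OP_SETKEY = 0x01, OP_XORBODY = 0x02, OP_END = 0x03,
       OP_TRASH0 = 0x10, OP_TRASH1 = 0x11, OP_TRASH2 = 0x12 };

/* xorshift32: reproducible per-seed randomness for key and trash choice. */
static uint32_t prng(uint32_t *s) { *s ^= *s << 13; *s ^= *s >> 17; *s ^= *s << 5; return *s; }

/* Emit 1..4 trash ops; count and choice are seed-driven (ETG-style padding). */
static size_t emit_trash(uint8_t *out, uint32_t *s) {
    size_t n = prng(s) % 4 + 1, i;
    for (i = 0; i < n; i++) out[i] = (uint8_t)(OP_TRASH0 + prng(s) % 3);
    return n;
}

/* "Scramble": stub = SETKEY k, trash..., XORBODY, trash..., END, then body ^ k.
 * Returns the output length, or 0 if `cap` is too small. */
static size_t scramble(const uint8_t *body, size_t len, uint32_t seed, uint8_t *out, size_t cap) {
    uint32_t s = seed ? seed : 1;
    uint8_t key = (uint8_t)(prng(&s) | 1);          /* never 0, so the body really changes */
    size_t p = 0, i;
    if (cap < len + 16) return 0;                    /* stub is at most 12 bytes */
    out[p++] = OP_SETKEY; out[p++] = key;
    p += emit_trash(out + p, &s);
    out[p++] = OP_XORBODY;
    p += emit_trash(out + p, &s);
    out[p++] = OP_END;
    for (i = 0; i < len; i++) out[p++] = body[i] ^ key;
    return p;
}

/* Emulate the stub the way a scanner's emulator would, recovering the body.
 * Returns the body length, or 0 if the stub is malformed. */
static size_t emulate(const uint8_t *in, size_t n, uint8_t *body, size_t cap) {
    size_t p = 0, len, i;
    uint8_t key = 0;
    int xored = 0;
    while (p < n) {
        uint8_t op = in[p++];
        if (op == OP_SETKEY) { if (p >= n) return 0; key = in[p++]; }
        else if (op == OP_XORBODY) xored = 1;
        else if (op == OP_END) break;
        else if (op < OP_TRASH0 || op > OP_TRASH2) return 0;   /* unknown op */
    }
    if (!xored || n - p > cap) return 0;
    len = n - p;
    for (i = 0; i < len; i++) body[i] = in[p + i] ^ key;
    return len;
}

/* Naive static signature: does `sig` occur verbatim in `buf`? */
static int has_signature(const uint8_t *buf, size_t n, const uint8_t *sig, size_t m) {
    size_t i;
    if (m > n) return 0;
    for (i = 0; i + m <= n; i++) if (!memcmp(buf + i, sig, m)) return 1;
    return 0;
}

/* Constructed stand-in for a body the scanner already detects. */
static const uint8_t KNOWN_BODY[] = "MZ...WORM_BAGLE-like body (constructed)";

/* 1 if the first 8 bytes of the output for seed_a also occur in the output for
 * seed_b, i.e. whether an outer-layer signature survives re-scrambling. */
static int outer_signature_survives(uint32_t seed_a, uint32_t seed_b) {
    uint8_t a[128], b[128];
    size_t la = scramble(KNOWN_BODY, sizeof KNOWN_BODY, seed_a, a, sizeof a);
    size_t lb = scramble(KNOWN_BODY, sizeof KNOWN_BODY, seed_b, b, sizeof b);
    return la >= 8 && lb && has_signature(b, lb, a, 8);
}

/* 1 if emulating the output for `seed` yields the known body byte for byte. */
static int emulated_body_matches(uint32_t seed) {
    uint8_t out[128], body[128];
    size_t lo = scramble(KNOWN_BODY, sizeof KNOWN_BODY, seed, out, sizeof out);
    size_t lb = emulate(out, lo, body, sizeof body);
    return lb == sizeof KNOWN_BODY && !memcmp(body, KNOWN_BODY, lb);
}

int main(void) {
    printf("signature from seed 1 found in seed 2 output: %s\n", outer_signature_survives(1, 2) ? "yes" : "no");
    printf("signature from seed 5 found in seed 5 output: %s\n", outer_signature_survives(5, 5) ? "yes" : "no");
    printf("emulated body matches for seeds 1, 2, 0xdeadbeef: %d %d %d\n",
           emulated_body_matches(1), emulated_body_matches(2), emulated_body_matches(0xdeadbeef));
    return 0;
}
```

The real engine works on x86 code rather than a toy opcode set, but the detection consequence is the same one the post draws: a hash or signature over the scrambled file is a per-sample artefact, and the trash only raises the instruction budget an emulator has to spend before it reaches the unchanged body underneath.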

     
    Posted in Bad Sites | Comments Off


     

    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice